Accepting request 198717 from Base:System

- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332, bnc#839870) (forwarded request 198716 from Andreas_Schwab) OBS-URL: https://build.opensuse.org/request/show/198717 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=155
2013-09-13 12:43:41 +00:00 · 2013-09-13 12:43:41 +00:00 · 8cfb4a35f1
commit 8cfb4a35f1
parent 00c052112d fdc1d1569d
7 changed files with 87 additions and 0 deletions
--- a/glibc-testsuite.changes
+++ b/glibc-testsuite.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de
+
+- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332,
+  bnc#839870)
+
 -------------------------------------------------------------------
 Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de

--- a/glibc-testsuite.spec
+++ b/glibc-testsuite.spec
@ -242,6 +242,8 @@ Patch306:       glibc-fix-double-loopback.diff
 ###
 # PATCH-FIX-UPSTREAM Add O_TMPFILE to <fcntl.h>
 Patch1000:      fcntl-o-tmpfile.patch
+# PATCH-FIX-UPSTREAM Integer overflows in malloc
+Patch1001:      malloc-overflows.patch

 ### 
 # Patches awaiting upstream approval
@ -465,6 +467,7 @@ rm nscd/s-stamp
 %patch306 -p1

 %patch1000 -p1
+%patch1001 -p1

 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 
 # %patch2008 -p1
--- a/glibc-utils.changes
+++ b/glibc-utils.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de
+
+- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332,
+  bnc#839870)
+
 -------------------------------------------------------------------
 Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de

--- a/glibc-utils.spec
+++ b/glibc-utils.spec
@ -241,6 +241,8 @@ Patch306:       glibc-fix-double-loopback.diff
 ###
 # PATCH-FIX-UPSTREAM Add O_TMPFILE to <fcntl.h>
 Patch1000:      fcntl-o-tmpfile.patch
+# PATCH-FIX-UPSTREAM Integer overflows in malloc
+Patch1001:      malloc-overflows.patch

 ### 
 # Patches awaiting upstream approval
@ -465,6 +467,7 @@ rm nscd/s-stamp
 %patch306 -p1

 %patch1000 -p1
+%patch1001 -p1

 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 
 # %patch2008 -p1
--- a/glibc.changes
+++ b/glibc.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de
+
+- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332,
+  bnc#839870)
+
 -------------------------------------------------------------------
 Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de

--- a/glibc.spec
+++ b/glibc.spec
@ -242,6 +242,8 @@ Patch306:       glibc-fix-double-loopback.diff
 ###
 # PATCH-FIX-UPSTREAM Add O_TMPFILE to <fcntl.h>
 Patch1000:      fcntl-o-tmpfile.patch
+# PATCH-FIX-UPSTREAM Integer overflows in malloc
+Patch1001:      malloc-overflows.patch

 ### 
 # Patches awaiting upstream approval
@ -465,6 +467,7 @@ rm nscd/s-stamp
 %patch306 -p1

 %patch1000 -p1
+%patch1001 -p1

 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 
 # %patch2008 -p1
--- a/malloc-overflows.patch
+++ b/malloc-overflows.patch
@ -0,0 +1,60 @@
+2013-09-11  Will Newton  <will.newton@linaro.org>
+
+	[BZ #15857]
+	* malloc/malloc.c (__libc_memalign): Check the value of bytes
+	does not overflow.
+
+	[BZ #15856]
+	* malloc/malloc.c (__libc_valloc): Check the value of bytes
+	does not overflow.
+
+	[BZ #15855]
+	* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
+	does not overflow.
+
+Index: glibc-2.18/malloc/malloc.c
+===================================================================
+--- glibc-2.18.orig/malloc/malloc.c
+++ glibc-2.18/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t
+   /* Otherwise, ensure that it is at least a minimum chunk size */
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
+   arena_get(ar_ptr, bytes + alignment + MINSIZE);
+   if(!ar_ptr)
+     return 0;
+@@ -3046,6 +3053,13 @@ __libc_valloc(size_t bytes)
+ 
+   size_t pagesz = GLRO(dl_pagesize);
+ 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
+   void *(*hook) (size_t, size_t, const void *) =
+     force_reg (__memalign_hook);
+   if (__builtin_expect (hook != NULL, 0))
+@@ -3082,6 +3096,13 @@ __libc_pvalloc(size_t bytes)
+   size_t page_mask = GLRO(dl_pagesize) - 1;
+   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+ 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
+   void *(*hook) (size_t, size_t, const void *) =
+     force_reg (__memalign_hook);
+   if (__builtin_expect (hook != NULL, 0))